Abstract

The laws of quantum mechanics allow unconditionally secure key distribution protocols. Nevertheless, security proofs of traditional quantum key distribution (QKD) protocols rely on a crucial assumption, the trustworthiness of the quantum devices used in the protocol. In device-independent QKD, even this last assumption is relaxed: the devices used in the protocol may have been adversarially prepared, and there is no a priori guarantee that they perform according to specification. Proving security in this setting had been a central open problem in quantum cryptography.

We give the first device-independent proof of security of a protocol for quantum key distribution that 
guarantees the extraction of a linear amount of key even when the devices are subject to a constant rate of 
noise. Our only assumptions are that the laboratories in which each party holds his or her own device are 
spatially isolated, and that both devices, as well as the eavesdropper, are bound by the laws of quantum 
mechanics. All previous proofs of security relied either on the use of many independent pairs of devices, 
or on the absence of noise. 

1 Introduction

Quantum key distribution [BB84, Eke91] together with its proof of security [May01, SP00] appeared to have achieved the holy grail of cryptography — unconditional security, or a scheme whose security was based solely on the laws of physics. However, practical implementations of QKD protocols necessarily involve imperfect devices [BBB+92, MHH+97], and it was soon realized that these imperfections could be exploited by a malicious eavesdropper to break the "unconditional" security of QKD (see e.g. [SK09] for a review).

Mayers and Yao [MY98] put forth a vision for restoring unconditional security in the presence of imperfect or even maliciously designed devices, by subjecting them to tests that they fail unless they behave consistently with "honest" devices. The fundamental challenge they introduced was of device-independent quantum key distribution (DIQKD): establishing the security of a QKD protocol based only on the validity of quantum mechanics, the physical isolation of the devices and the passing of certain statistical tests. The germ of the idea for device-independence may already be seen in Ekert's original entanglement-based protocol for QKD [Eke91], and was made more explicit by Barrett, Hardy, and Kent [BHK05], who showed how to generate a single random bit secure against any non-signalling eavesdropper. A long line of research on DIQKD seeks to make the qualitative argument from [BHK05] quantitative, devising protocols that extract an amount of key that is linear in the number of uses of the devices, and is secure against increasingly general eavesdropping strategies. Initial works [AGM06, AMP06, SGB+06] give efficient and noise-tolerant protocols that are secure against individual attacks by non-signalling eavesdroppers. Subsequent work [MRC+09, Mas09] and [HRW10] also proved security against collective attacks. Other works [ABG+07, PAB+09, MRC+09, HR10, MPA11] obtain better key rates under the stronger assumption that the eavesdropper is bound by the laws of quantum mechanics. All these results, however, could only be established under restrictive independence assumptions on the devices, e.g. in recent work [HR10, MPA11] a proof of security based on collected statistics requires that the $n$ uses of each device are causally independent: measurements performed at successive steps of the protocol commute with each other.

Very recently two papers [BCK12b, RUV12] announced proofs of security of DIQKD without requiring any independence assumption between the different uses of the devices. Unfortunately, although the approaches in [BCK12b, RUV12] are very different, both implied protocols are polynomially inefficient and unable to tolerate noisy devices. The protocol used in [BCK12b] is very similar to the one originally introduced in [BHK05], and requires a large number of uses of a pair of noise-free devices in order to generate a single bit of key. In the case of [RUV12], DIQKD is obtained as a corollary of very strong testing that allows the shared quantum state and operators of the two untrusted devices to be completely characterized. It is an open question whether such strong testing can be achieved in a manner that is robust to noise.

A major issue in QKD is dealing with the noise inherent in even the best devices. Indeed, a good DIQKD protocol should differentiate devices that are "honest but noisy" from devices that may attempt to take advantage of the protocol's necessary noise tolerance in order to leak information to an eavesdropper by introducing correlations in their "errors" [BCK12a]. The protocols in [BCK12b, RUV12] do not achieve this, since they cannot tolerate any constant noise rate. This raises the question: is device-independent QKD even possible without independence assumptions in a realistic, noise-tolerant scenario?



1.1 Results

We answer this question in the affirmative by giving the first complete device-independent proof of security of quantum key distribution that tolerates a constant noise rate and guarantees the generation of a linear amount of key. Our only assumption on the devices is that they can be modeled by the laws of quantum mechanics, and that they are spatially isolated from each other and from any adversary's laboratory. In particular, we emphasize that the devices may have quantum memory. While the proof of security is quite non-trivial (it builds upon ideas from the work on certifiable randomness generation mentioned below), the actual protocol whose device independence properties we establish is quite simple. It is a small variant of Ekert's entanglement-based protocol [Eke91].

In the protocol, the users Alice and Bob make $m$ successive uses of their respective devices. At each step, Alice (resp. Bob) privately chooses a random input $x_i \in \{0,1,2\}$ (resp. $y_i \in \{0,1\}$) for her device, collecting an output bit $a_i$ (resp. $b_i$). If the devices were honestly implemented they would share Bell states $|\psi\rangle = \frac{1}{\sqrt 2}|00\rangle + \frac{1}{\sqrt 2}|11\rangle$, and measure their qubits according to the following strategy: if $x_i = 0$ measure in the computational basis, if $x_i = 1$ measure in the Hadamard basis and if $x_i = 2$ measure in the $3\pi/8$-rotated basis. If $y_i = 0$ measure in the $\pi/8$-rotated basis and if $y_i = 1$ measure in the $3\pi/8$-rotated basis.

To test the devices, after the $m$ steps have been completed, the users select a random subset $B \subseteq \{1, \ldots, m\}$ of size $|B| = \gamma m$, where $\gamma > 0$ is a small constant, and publicly announce their inputs and outputs in $B$. Rounds in $B$ will be called "Bell rounds". Let $z_i = 1$ if and only if $x_i \neq 2$ and $a_i \oplus b_i \neq x_i \wedge y_i$, or $(x_i, y_i) = (2,1)$ and $a_i \neq b_i$. The users jointly compute the noise rate $\eta := (1/|B|) \sum_{i \in B} z_i - (1 - \mathrm{opt})$, where $\mathrm{opt} = (2\cos^2(\pi/8) + 1)/3$.¹ If $\eta > 0.5\%$, say, they abort. If not, they announce their remaining input choices. Let $C \subseteq \{1, \ldots, m\}$ be the steps in which $(x_i, y_i) = (2, 1)$. We will call the rounds in $C$ the "check rounds"; outputs from the rounds $C - B$ constitute the raw key. The users conclude by performing standard information reconciliation and privacy amplification steps, extracting a key of length $\kappa m$ for some $\kappa = \kappa(\eta, \varepsilon)$, where $\varepsilon$ is the desired security parameter. (We refer to Figures 1 and 2 for a more detailed description of the protocol.)

¹ This corresponds to estimating the average amount by which the devices' outputs in $B$ differ from a maximal violation of a Bell inequality based on the CHSH inequality [CHSH69, BC90]; see Section 2 for details.

Theorem 1 (Informal). Let $m$ be a large enough integer and $\varepsilon = 2^{-c_0 m}$, where $c_0 > 0$ is a small constant. Given any pair of spatially isolated quantum devices $A$ and $B$, the protocol described above generates a shared key $K$ of length $\kappa m$, where $\kappa \approx 1.4\%$, that is $\varepsilon$-secure: the probability that the users Alice and Bob do not abort and that the adversary can obtain information about the key is at most $\varepsilon$.

This informal statement hides a tradeoff between the parameters $\varepsilon$, $\eta$, and $\kappa$: the larger the security parameter $\varepsilon$ and the smaller the noise rate $\eta$, the higher the key rate $\kappa$. As $\eta \to 0$ (provided $\varepsilon$ is chosen large enough) our proof guarantees a secure key rate $\kappa \approx 2.5\%$, which with our setting of parameters corresponds to about 15% of the raw key. Conversely, the maximum noise rate for which we may extract a key of positive length is $\eta_{\max} \approx 1.2\%$. This is worse than the optimal key rates obtained under the causal independence assumption [MPA11], but still quite reasonable.

1.2 Proof overview and techniques 

We start with the observation that the randomness in the shared secret key must necessarily be generated by 
the two devices. Indeed, even though the users have the ability to generate perfect random bits privately, 
such bits cannot be used directly for the shared key, since any information transmitted about them is also 
available to the adversary. It follows that a necessary condition for DIQKD is that the users should be 
able to use their untrusted devices to generate certified randomness — randomness they can guarantee was 
not pre-encoded in the devices by the adversary, nor obtained as some function of the users' inputs to the 
devices. 

Luckily, the possibility of generating certified randomness has already been investigated. Building on an observation made in [Col06], Pironio et al. [PAM+10] devised a protocol in which the generation of randomness could be certified solely by testing for a sufficiently large Bell inequality violation. In [FGS11, PM11] it was further shown that the randomness generated was secure against an arbitrary classical adversary. Concurrently, in [VV11] we gave a protocol that was secure even against a quantum adversary. This last protocol provides us with a solid starting point for DIQKD, since our goal is to prove that the quantum adversary, who may have fabricated the two devices, has no information about the shared random key. Nevertheless, extending this to DIQKD presents us with some serious new challenges.

1. First, QKD is a task that involves two distant parties Alice and Bob. Any classical communication 
between Alice and Bob must take place in the clear and is therefore accessible to the adversary, thus 
giving her additional power. 

2. Second, in order to achieve QKD it is not sufficient just to generate randomness — the point of QKD is 
that Alice and Bob share the same random key. In our protocol this is accomplished by distinguishing 
two different types of rounds: Bell rounds, in which the violation of the CHSH inequality by the 
devices is estimated, and check rounds, in which the devices are supposed to produce identical outputs 
from which the key will be generated. Unfortunately Alice and Bob must exchange information about 
which rounds are which, and since the adversary has access to all communicated classical information, 

this appears to render the Bell rounds pointless, since the adversary can ignore the Bell rounds and attack only those rounds which are used to generate the key (the check rounds).

3. Finally, to be practical the protocol should tolerate noisy devices. As a result, the users can only expect a non-maximal amount of correlation, both in the Bell and check rounds. The randomness-certification protocol from [VV11] did not tolerate any noise — in fact, the absence of noise played a crucial role in the proof. As we already explained in the introduction, dealing with the presence of noise is one of the major conceptual and technical hurdles of the proof.

We now explain how our proof technique addresses these challenges. The proof proceeds in two steps. As a first step, we argue that the following three conditions cannot hold simultaneously in any single round of the protocol: (i) the devices violate the CHSH inequality, whenever the round was selected as a Bell round; (ii) the adversary can predict Bob's output, whenever the round was selected as a check round; and (iii) the no-signalling condition is satisfied between all three parties (Alice, Bob and the adversary). To derive a contradiction from (i)-(iii) we use a simple conceptual tool called the "guessing game", which was introduced in [VV11]. The main idea is that conditions (i) and (ii) imply that the adversary and Alice will be able to team up to predict Bob's output from their sole respective input/output behavior, violating the no-signalling condition (iii).

The second step is more challenging. All previous works on the subject reduced the general setting to a 
single-round scenario similar to the one outlined above by requiring some form of independence assumption 
on the devices or on the adversary's attack. We do not use any such assumption, and the main challenge is 
to deal with correlations between all rounds and the adversary in order to perform the reduction. 

Our starting point is the existence of a pair of devices that pass the protocol with non-negligible probability, but such that the adversary may gain non-negligible information about the secret key generated at the end of the protocol. Our goal is to show the existence of a round $i_0$ of the protocol in which conditions (i)-(iii) above are satisfied, thus deriving a contradiction.

Our argument has two main ingredients. The first ingredient is the so-called "quantum reconstruction paradigm", a technique that was introduced in [DV10] and further developed in [DPVR12, VV11]. What this achieves is the following: any adversary able to obtain non-negligible information about the generated key can be transformed into a seemingly much stronger adversary: she can predict the entire string of outputs of Bob's device on the check rounds (the rounds used to generate the key). Furthermore, the success probability of this "guessing measurement" is of the same order as the original distinguishing probability but does not depend on the length of the key — a fact that will be crucial to obtaining good parameters. In order to achieve this, the new adversary requires access to the same public information as the original one, together with a small number of additional "advice bits" taken from Bob's string of outputs.

This stronger form of the adversary guarantees that condition (ii) above holds in all rounds with small but non-negligible probability. Furthermore, the checking performed as part of the protocol ensures that (i) also holds on average over all rounds, with probability of the same order. The natural idea in order to identify a round $i_0$ in which conditions (i) and (ii) hold simultaneously with high probability is to perform conditioning: there must exist many rounds $i$ such that, provided both conditions hold in rounds $1$ to $i - 1$, they must hold in round $i$ with high probability.

Such conditioning, however, presents a new difficulty: it may introduce such correlations that condition 
(iii) is no longer satisfied. Indeed, recall that one of the main difficulties in analyzing the QKD protocol is 
that the adversary has considerable power, due to the large amount of public information that is leaked by the 
protocol — including the users' complete choice of inputs. Hence conditioning on a low probability event 
involving the outcome of a measurement performed by the adversary on her system introduces correlations 
between inputs in all rounds. For instance, this conditioning could very well force the inputs in round $i_0$ to be a particular pair, say $(0,0)$, making the guarantees (i) and (ii) all but useless.

The difficulty is reminiscent of one encountered in the analysis of parallel repetition, where conditioning 
on success in a subset of the parallel repeated games may introduce correlations among the players in the 
remaining games. Here, the situation is further complicated by the fact that it involves three parties involved 
in a relatively complex interaction. In particular, the conditioning is performed jointly on an event involving 
Alice and Bob (the CHSH violation observed in previous rounds being sufficiently large) on the one hand, 
and Bob and Eve (Eve's guess being correct) on the other. 

The final step in our proof consists in bounding the amount of correlation introduced by the conditioning. For this we use tools from information theory, including the chain rule for mutual information and the quantum Pinsker's inequality, which had not previously been applied to this setting. (Similar tools were already used by Holenstein in his derivation of a parallel repetition theorem for the case of two-player games with no-signalling players [Hol09].)

1.3 Perspective

We have not attempted to optimize the relationship between the parameters $\kappa$, $\eta$ and $\varepsilon$ describing the key rate, the noise rate and the security parameter respectively, and it is likely that the explicit dependency stated in Theorem 8 can be improved by tightening our arguments. It is an interesting question to find out whether our approach can lead to a trade-off as good as the one that has been shown to be achievable under additional assumptions on the devices [MPA11]. One possibility for improvement would be to bias the users' input distribution towards the pair of inputs $(2, 1)$ from which the raw key is extracted, as was done in e.g. [AMP06]: indeed, only a very small fraction of the rounds are eventually required to estimate the violation of the CHSH condition.

Our proof crucially makes use of quantum mechanics to model the devices and the adversary. Can one obtain a fully device-independent proof of security of QKD against adversaries that are only restricted by the no-signalling principle? Barrett et al. [BCK12b] recently showed that such security is achievable in principle; however their protocol is highly inefficient and does not tolerate noisy devices.

Organization of the paper. We start with some preliminaries in Section 2, introducing our notation and the information-theoretic quantities that will be used. We also summarize the main parameters of our protocol, which is described in Figures 1 and 2. In Section 3 we formally state our result and outline the security proof. The two main ingredients are the analysis of Protocol B, which is given in Section 4, and the "quantum reconstruction paradigm" introduced in Section 5. Finally, Section 6 contains probabilistic and information-theoretic lemmas used in some of the proofs.

Acknowledgments. We thank Anthony Leverrier for many useful comments on a preliminary version of 
this manuscript. 

2 Preliminaries

We assume familiarity with basic concepts and standard notation in quantum information, including density matrices and distance measures such as the trace distance and the fidelity. We refer the reader to the books [NC00, Wil11] for detailed introductions.
Notation. We use roman capitals $A, B, \ldots, X$ both to refer to random variables and the registers, classical or quantum, that contain them. Calligraphic letters $\mathcal{A}, \mathcal{B}, \ldots, \mathcal{X}$ are used to refer to the underlying Hilbert space. $\mathrm{D}(\mathcal{X})$ denotes the set of density operators (non-negative matrices with trace 1) on $\mathcal{X}$. For an arbitrary matrix $A$ on $\mathcal{X}$ we let $\|A\|_1 = \mathrm{Tr}\sqrt{AA^\dagger}$ denote its Schatten 1-norm. $\ln$ denotes the natural logarithm and $\log$ the logarithm in base 2. For $x \in [0,1]$, $H(x) = -x \log x - (1-x)\log(1-x)$ is the binary entropy function.

Information theoretic quantities. Given a density matrix $\rho \in \mathrm{D}(\mathcal{A})$, its von Neumann entropy is $H(\rho) := -\mathrm{Tr}(\rho \ln \rho)$. For a classical-quantum state $\rho_{XA} = \sum_x p_x |x\rangle\langle x| \otimes \rho_x \in \mathrm{D}(\mathcal{X} \otimes \mathcal{A})$, where for every $x$, $\rho_x \in \mathrm{D}(\mathcal{A})$, the conditional entropy is defined as $H(A|X)_\rho := \sum_x p_x H(\rho_x)$. Given a state $\rho_{ABX}$, where $X$ is classical, the conditional mutual information is

$$I(A:B|X)_\rho := H(A|X)_\rho + H(B|X)_\rho - H(AB|X)_\rho.$$

We will use the following quantum analogue of the classical Pinsker's inequality (see e.g. Theorem 11.9.1 in [Wil11] for a proof): for any $\rho_{AB} \in \mathrm{D}(\mathcal{AB})$,

$$\|\rho_{AB} - \rho_A \otimes \rho_B\|_1^2 \leq (2 \ln 2)\, I(A:B)_\rho. \qquad (1)$$

The most important information measure in our context is the quantum conditional min-entropy, first introduced in [Ren05], and defined as follows.

Definition 2. Let $\rho_{AB}$ be a bipartite density matrix. The min-entropy of $A$ conditioned on $B$ is defined as

$$H_{\min}(A|B)_\rho := \max\{\lambda \in \mathbb{R} : \exists\, \sigma_B \in \mathrm{D}(\mathcal{B}) \text{ s.t. } 2^{-\lambda}\, \mathrm{Id}_A \otimes \sigma_B \geq \rho_{AB}\}.$$

We will often drop the subscript $\rho$ when there is no doubt about the underlying state. The smooth min-entropy is defined as follows.

Definition 3. Let $\varepsilon > 0$ and $\rho_{AB}$ a bipartite density matrix. The $\varepsilon$-smooth min-entropy of $A$ conditioned on $B$ is defined as

$$H^\varepsilon_{\min}(A|B)_\rho := \max_{\tilde\rho_{AB} \in \mathcal{B}(\rho_{AB}, \varepsilon)} H_{\min}(A|B)_{\tilde\rho},$$

where $\mathcal{B}(\rho_{AB}, \varepsilon)$ is a ball of radius $\varepsilon$ around $\rho_{AB}$.²

The CHSH condition. The security of our DIQKD protocol is based on the statistical verification that the pair of devices used have an input/output behavior consistent with certain pre-determined correlations, which are those expected of an "honest" quantum-mechanical pair of devices performing the measurements described below.

Let $A$ and $B$ designate two spatially isolated devices. In the protocol, there are three possible choices of inputs $x \in \{0, 1, 2\}$ to $A$, and two possible inputs $y \in \{0, 1\}$ to $B$. Each of the 6 possible pairs of inputs is chosen with uniform probability $1/6$. The devices are required to produce outputs $a, b \in \{0, 1\}$ respectively. The users select a random subset of the rounds of the protocol in which to evaluate the frequency with which the following constraints are satisfied. In case both inputs were in $\{0, 1\}$, the constraint on the outputs is the CHSH parity constraint $a \oplus b = x \wedge y$ [CHSH69]. If the inputs are $(2, 1)$ the constraint is that the outputs $(a, b)$ should satisfy $a \oplus b = 0$. Finally, for the remaining pair of inputs $(2, 0)$ all pairs of outputs are valid. We will refer to this set of constraints collectively as "the CHSH condition". We note that the underlying Bell inequality is similar to the so-called "chained inequality" for two inputs [BC90].

² Theoretically any distance measure could be used to define an $\varepsilon$-ball. As has become customary, we use the purified distance, $P(\rho, \sigma) := \sqrt{1 - F(\rho, \sigma)^2}$, where $F(\cdot, \cdot)$ is the fidelity.

Let $\mathrm{opt}$ be the maximum probability with which any two isolated devices, obeying the laws of quantum mechanics, may produce outputs satisfying the CHSH condition. It is not hard to show that $\mathrm{opt} = (2/3)\cos^2(\pi/8) + (1/3)$, which is achieved using the following strategy. The devices are initialized in a single EPR pair $|\Psi\rangle = (|00\rangle + |11\rangle)/\sqrt 2$, each device holding one qubit. On input $0$, $A$ performs a measurement in the computational basis, and on input $1$ it measures in the Hadamard basis. On input $0$, $B$ measures in the computational basis rotated by $\pi/8$. If $A$ gets input $2$, or if $B$ gets input $1$, they measure in the computational basis rotated by $3\pi/8$. The devices may be used repeatedly, and honest devices perform measurements on a fresh EPR pair at each use.

Parameters. For convenience, we summarize here the main parameters of the key distribution protocol described in Figures 1 and 2.

• $m$ is the total number of rounds in the protocol (in each round, an input to each of $A$, $B$ is chosen, and an output is collected).

• $B$ are the "Bell rounds", selected to perform parameter estimation. They are chosen uniformly at random under the constraint that $|B| = \gamma m$, for some $\gamma > 0$ specified in the protocol.

• $\eta$ is the tolerated error rate: the protocol aborts as soon as the fraction of rounds in $B$ satisfying the CHSH condition is lower than $\mathrm{opt} - \eta$.

• $C \subseteq [m]$ are the "check rounds". Those are rounds in which the inputs to $(A, B)$ are $(2, 1)$. Since the inputs are chosen uniformly at random, the number of check rounds $|C|$ is highly concentrated around $m/6$.

• The target min-entropy rate $\kappa$. This is the rate of min-entropy that the users Alice and Bob expect to be present in the check rounds, provided the protocol did not abort. Once information reconciliation and privacy amplification have been performed, a secret key of length roughly $(\kappa - H(2\eta))\,|C|$ will be produced.

• $\varepsilon$ is the security parameter: the statistical distance from uniform of the extracted key (conditioned on the eavesdropper's side information). Precisely, if $K$ denotes the system containing the extracted key, we will obtain that $\|\rho_{K\mathcal{E}'} - \rho_{U_K} \otimes \rho_{\mathcal{E}'}\|_1 \leq \varepsilon$, where $\mathcal{E}'$ is a register containing all the side information available to an arbitrary quantum eavesdropper in the protocol, and $\rho_{U_K}$ is the totally mixed state on as many qubits as the key length.
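As an added illustration (not code from the paper), the following Python simulation models the honest strategy of this section and the parameter-estimation step of Protocol B (Figure 2): it computes the per-input success probabilities and opt, runs $m$ rounds of honest (optionally noisy) devices, picks a Bell set $B$ of size $\gamma m$, estimates $\eta'$ and applies the abort rule, and extracts the raw key from $C - B$. The real-plane rotation angles, the independent bit-flip noise model and the seed are assumptions of this example; in particular the $3\pi/8$-rotated basis is encoded as the angle $-\pi/8$ (the same basis with its two outcome labels exchanged), which is the labeling under which the stated strategy meets the parity constraints.

```python
import math
import random

# Maximum CHSH-condition success probability opt of Section 2 (about 0.9024).
OPT = (2.0 / 3.0) * math.cos(math.pi / 8) ** 2 + 1.0 / 3.0

# Measurement angles in the real plane for the honest strategy.  Assumption of
# this example: the "3pi/8-rotated basis" is encoded as angle -pi/8, i.e. the
# same basis with its two outcome labels exchanged.
ANGLE_A = {0: 0.0, 1: math.pi / 4, 2: -math.pi / 8}   # computational, Hadamard, 3pi/8
ANGLE_B = {0: math.pi / 8, 1: -math.pi / 8}           # pi/8, 3pi/8


def chsh_condition(x, y, a, b):
    """Per-round constraint: CHSH parity a xor b = x and y when x in {0,1},
    equality on inputs (2,1), and any outputs on inputs (2,0)."""
    if x in (0, 1):
        return (a ^ b) == (x & y)
    if y == 1:
        return a == b
    return True


def success_probability(x, y):
    """Exact probability that honest devices satisfy the constraint on (x, y).
    For an EPR pair and real-plane projective measurements at angles ta, tb the
    two outputs agree with probability cos^2(ta - tb)."""
    if (x, y) == (2, 0):
        return 1.0
    p_equal = math.cos(ANGLE_A[x] - ANGLE_B[y]) ** 2
    want_equal = True if x == 2 else (x & y) == 0
    return p_equal if want_equal else 1.0 - p_equal


def honest_round(x, y, rng, noise=0.0):
    """Sample one round of honest devices on a fresh EPR pair.  `noise` is a
    constructed model: each output is flipped independently with that probability."""
    a = rng.randrange(2)                          # each marginal is uniform
    p_equal = math.cos(ANGLE_A[x] - ANGLE_B[y]) ** 2
    b = a if rng.random() < p_equal else 1 - a
    if rng.random() < noise:
        a ^= 1
    if rng.random() < noise:
        b ^= 1
    return a, b


def run_protocol_b(m, gamma, eta, seed=0, noise=0.0):
    """Protocol B (Figure 2): m rounds with uniform inputs, a public Bell set B of
    size gamma*m, and the abort rule eta' > eta, where opt - eta' is the observed
    fraction of rounds in B satisfying the CHSH condition.
    Returns (abort, eta', transcript)."""
    rng = random.Random(seed)
    xs = [rng.randrange(3) for _ in range(m)]
    ys = [rng.randrange(2) for _ in range(m)]
    outs = [honest_round(xs[i], ys[i], rng, noise) for i in range(m)]
    bell = set(rng.sample(range(m), int(gamma * m)))
    ok = sum(1 for i in bell if chsh_condition(xs[i], ys[i], *outs[i]))
    eta_obs = OPT - ok / len(bell)
    return eta_obs > eta, eta_obs, (xs, ys, outs, bell)


def raw_keys(transcript):
    """Check rounds C = {i : (x_i, y_i) = (2,1)}; the raw key is the outputs on
    C - B.  Returns Alice's raw key, Bob's raw key and |C|."""
    xs, ys, outs, bell = transcript
    check = [i for i in range(len(xs)) if (xs[i], ys[i]) == (2, 1)]
    key_rounds = [i for i in check if i not in bell]
    alice = [outs[i][0] for i in key_rounds]
    bob = [outs[i][1] for i in key_rounds]
    return alice, bob, len(check)


if __name__ == "__main__":
    for x in range(3):
        for y in range(2):
            print(f"inputs ({x},{y}): honest success probability {success_probability(x, y):.4f}")
    print(f"average over the 6 input pairs: {sum(success_probability(x, y) for x in range(3) for y in range(2)) / 6:.4f}, opt = {OPT:.4f}")
    abort, eta_obs, tr = run_protocol_b(m=6000, gamma=0.1, eta=0.02, seed=2012)
    alice, bob, n_check = raw_keys(tr)
    print(f"noise-free run: eta'={eta_obs:+.4f}, abort={abort}, |C|={n_check}, raw keys agree: {alice == bob}")
    abort, eta_obs, _ = run_protocol_b(m=6000, gamma=0.1, eta=0.02, seed=2012, noise=0.2)
    print(f"noisy run (20% flips): eta'={eta_obs:+.4f}, abort={abort}")
```

With 600 Bell rounds the noise-free estimate $\eta'$ fluctuates by roughly $\pm 0.012$, which is why Protocol A ties $\gamma$ to $\eta$ and $\varepsilon$ rather than fixing it.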

3 Analysis of the key distribution protocol

The analysis of Protocol A, and the proof of Theorem 1, is performed in two steps. The first, main step consists in proving a lower bound on the quantum smooth conditional min-entropy $H^\varepsilon_{\min}(B_C \,|\, X Y A_B B_B \mathcal{E})$ of the outputs obtained by Bob in the check rounds $C$ (conditioned on the protocol not aborting). This lower bound will depend on the maximal error rate $\eta$ that is tolerated by the users in the sub-protocol B (see Figures 1 and 2 for a description of protocols A and B respectively). Here the lower bound is taken conditioned on the state of an arbitrary quantum adversary (whom we will call Eve and refer to indiscriminately as "the adversary" or "the eavesdropper") in the protocol, who has access to the information $X, Y, A_B, B_B$ revealed publicly in the course of the protocol, as well as to a quantum system $\mathcal{E}$ which may be correlated with the systems $A$, $B$ of the devices. Such an estimate is stated in Theorem 8 in Section 3.3 below.

Protocol A

1. Let $m$ and $\varepsilon, \eta > 0$ be parameters given as input. Let $C_\gamma$ be the constant from Theorem 8 and set

$$\gamma = (C_\gamma / \eta^2) \ln(1/\varepsilon) / m.$$

2. Alice and Bob run Protocol B for $m$ steps, choosing inputs $x \in \{0,1,2\}^m$ (resp. $y \in \{0,1\}^m$) and obtaining outcomes $a \in \{0,1\}^m$ (resp. $b \in \{0,1\}^m$). Let $B$ be the set of rounds that were chosen to perform parameter estimation.

3. Alice and Bob publicly reveal their choices of inputs. Let $C$ be the set of rounds $i$ in which $(x_i, y_i) = (2, 1)$. If $\big|\,|C| - m/6\,\big| > 10\sqrt{m}$ they abort the protocol.

4. Alice and Bob perform information reconciliation on their outputs in $C - B$, which constitute the raw key. For this, Bob sends a message of $\ell \leq H(2\eta)\,|C| + \log(2/\varepsilon)$ bits to Alice.

5. Let $\kappa = \kappa(\eta)$ be as specified in Theorem 8. Alice and Bob perform privacy amplification using e.g. two-universal hashing, extracting a shared key of length $(\kappa - H(2\eta) - O(\log(1/\varepsilon)/m))\,|C|$ from the common $(|C| - |B|)$-bit string they obtained at the end of the previous step.

Figure 1: The device-independent key distribution protocol, Protocol A

Protocol B

1. Let $m$, $\gamma$ and $\eta$ be parameters given as input.

2. Repeat, for $i = 1, \ldots, m$:

2.1 Alice picks $x_i \in \{0,1,2\}$, and Bob picks $y_i \in \{0,1\}$, uniformly at random. They input $x_i, y_i$ into their respective device, obtaining outputs $a_i, b_i \in \{0, 1\}$ respectively.

3. Alice chooses a random subset $B \subseteq [m]$ of size $\gamma m$ and shares it publicly with Bob. Alice and Bob announce their input/output pairs in $B$, and compute the fraction of pairs satisfying the CHSH condition. Let $(\mathrm{opt} - \eta')$ be this fraction. If $\eta' > \eta$ they abort the protocol.

Figure 2: Theorem 8 shows that, at the end of Protocol B, the bits $B_C$ generated by Bob's device in the check rounds $C$ have high smooth min-entropy, conditioned on the adversary's arbitrary quantum side information.

The second step consists in showing that there exist appropriate protocols for the information reconciliation and privacy amplification steps, Steps 4 and 5 in Protocol A respectively, such that the lower bound on the conditional min-entropy from the first step guarantees the security (distance from uniform from the point of view of the adversary) and correctness (Alice and Bob should obtain the same key) of the key that is extracted. This step is standard, and all the ingredients required already appear in the literature. We summarize the result as Lemma 4 in Section 3.2 below.

Theorem 1 follows immediately by combining Theorem 8 and Lemma 4.

3.1 Probability space

Before stating and proving formally our results, we formally define the random variables and events that will be used in their proof.

Modeling the devices. Fix a pair of spatially isolated devices $(A, B)$. Device $A$ takes inputs in $\{0, 1, 2\}$, and device $B$ takes inputs in $\{0, 1\}$. Whenever provided an input, each device produces an output in $\{0, 1\}$. The devices may be used repeatedly. We will assume that the pair $(A, B)$ can be described by quantum mechanics: the devices are modeled by a pair of quantum registers; when provided an input each device performs a measurement on the state contained in the corresponding subsystem.

We assume that user Alice holds $A$, and Bob is given $B$. In addition, there is an adversary Eve who holds an additional quantum register $\mathcal{E}$, initialized in a state arbitrarily correlated with that of $A$ and $B$. Let $\rho_{A_1 B_1 \mathcal{E}}$ be the density matrix describing the joint state of all three registers at the start of the protocol.

We define the following random variables and events. $X \in \{0, 1, 2\}^m$ and $Y \in \{0, 1\}^m$ are two uniformly distributed random variables, used to represent the inputs to $A$, $B$ respectively, as chosen in the protocol. $A, B \in \{0, 1\}^m$ are random variables denoting the outputs produced by the devices, when sequentially provided their respective inputs $X$, $Y$. We will always use $C \subseteq [m]$ to denote the set of "check" rounds, in which $(X_i, Y_i) = (2, 1)$, and $B \subseteq [m]$ the set of "Bell" rounds chosen by Alice and Bob to perform parameter estimation.

Let $\rho_{A_i B_i}$ denote the reduced state of devices $A$ and $B$ in the $i$-th round of the protocol (before they have been provided their $i$-th input). Formally,

$$\rho_{A_i B_i} \propto \Big(\prod_{j<i} M^{A_j}_{x_j} \otimes \prod_{j<i} N^{B_j}_{y_j}\Big)\, \rho_{A_1 B_1}\, \Big(\prod_{j<i} M^{A_j}_{x_j} \otimes \prod_{j<i} N^{B_j}_{y_j}\Big)^\dagger,$$

where $\{M^{A_j}_{x_j}\}$ and $\{N^{B_j}_{y_j}\}$ are the Kraus operators corresponding to the measurement performed by devices $A$ and $B$ in round $j$ respectively, and $\rho_{A_i B_i}$ is normalized. Here $\rho_{A_1 B_1} = \mathrm{Tr}_{\mathcal{E}}(\rho_{A_1 B_1 \mathcal{E}})$ is the reduced state of the devices at the start of the protocol. It is important to note that for any $i$ the state $\rho_{A_i B_i}$ may depend on a measurement that is performed on system $\mathcal{E}$ as soon as a particular outcome of that measurement is fixed.

Measuring the CHSH condition. Given a set $S \subseteq [m]$ and $\delta > 0$, $\mathrm{CHSH}_{AB}(S, \delta)$ is the event that the tuple $(X, Y, A, B)$ satisfies the CHSH condition (as described in Section 2) in a fraction at least $\mathrm{opt} - \delta$ of the rounds indicated by $S$. If $S$ is omitted, $\mathrm{CHSH}_{AB}(\delta) = \mathrm{CHSH}_{AB}([m], \delta)$. Letting $Z \in \{0, 1\}^m$ be the indicator random variable of the CHSH condition not being satisfied in any given round, we can write



We also define $\mathrm{VIOL}_{AB}(i)$, where $i \in [m]$, to express the expected amount by which the CHSH condition in round $i$ is satisfied:



where here the expectation is taken over the choice of inputs $(X_i, Y_i)$ in round $i$, and over the randomness in the devices' own measurements in round $i$. Note that $\mathrm{VIOL}_{AB}(i)$ implicitly depends on the specific state of the devices in round $i$, which may be affected by previous inputs and outputs obtained in the protocol as well as on other events that may be conditioned on. Hence the expression $\Pr(\mathrm{VIOL}_{AB}(i) < \delta \,|\, E)$, for some event $E$, indicates the average probability, over all possible $e \in E$, that the devices satisfy the CHSH condition in round $i$ with probability at least $\mathrm{opt} - \delta$, provided their inputs are distributed according to the conditional distribution $(X_i, Y_i)\,|\,E = e$, and when performed on the post-measurement state of $A \otimes B$ in round $i$ conditioned on $E = e$. For any $\delta > 0$ we let $\mathrm{VIOL}_{AB}(\delta)$ be the event that $(1/m)\sum_i \mathrm{VIOL}_{AB}(i) <$



The adversary. We introduce additional random variables that depend on the adversary Eve, holding the 
quantum register S. The adversary is described in Lemma [9] below; to understand the events below it may 
be useful to read that lemma's statement first. 

Let E G {0, 1}I C I be the random variable that describes the outcome of the measurement on £ described 
in Lemma|9] Note that this outcome depends on the "advice" that is given to the adversary. We use X, Y to 
denote the inputs that are given to the adversary, and Adv G {0,l} Km to denote the additional advice bits. 
These random variables need not equal the actual values X, Y, Adv: in general, the adversary's measure- 
ment is well-defined for any given advice bits, and E is used to denote its outcome irrespective of whether 
the advice given was "correct" or not. For any i G [m], define GUESSg^z) G {0, 1} to be 1 if and only if, 
either i G C and E { = B h or i £ C, and let GUESS Bf = A ! GUESS Bf (z). 

3.2 Information reconciliation and privacy amplification 

For convenience, we let £ ' := XYA^B^S denote the side information available to the eavesdropper. We 
show the following lemma, whose proof follows from standard arguments in the analysis of QKD protocols 
(see e.g. MRen0510 . We provide the relevant details below. 

Lemma 4. Let 7,£ > 0. Let e' = 2e~i'l c l / ' 400 . Suppose that, after Step \2\of Protocol A, the condition 
^min(Bc\£') — K |C| is satisfied. Then with probability at least 1 — e', at the end of the protocol Alice and 
Bob have a common shared key that is le-close to uniform and has length W min (Bo\£') — H(l.lzy)|C| — 



Information reconciliation. We first analyze the information reconciliation step. The following lemma 
states the conditions that are required for there to exist a satisfactory information reconciliation procedure. 

Lemma 5 (Lemma 6.3.4 in MRen0510 . Let A, B G {0, l} k be two random variables, and e > 0. Suppose 
Alice holds A, and Bob holds B. There is an information reconciliation protocol in which Bob communicates 
£ < Hf nax (B\ A) + log(2/e) bits of information about B to Alice and is such that with probability at least 
1 — e Alice and Bob both know B at the end of the protocol. 




VIOL AB (i) = E^-Cl-opt), 



5. 



41og(l/e). 
To apply Lemma 5 it suffices to prove an upper bound on the conditional max-entropy $H^{\varepsilon'}_{\max}(B_C|A_C)$. By definition of the rounds $C$, the CHSH condition in those rounds imposes that $A_i=B_i$ for all $i\in C$. Hence, were it not for errors, we would have $H_{\max}(B|A)=0$. The following claim shows that the bound on the error rate that results from the estimation performed in the rounds $B$ in Step 3 of Protocol B is enough to guarantee a good upper bound on the conditional max-entropy.

Claim 6. Suppose Alice and Bob do not abort after Step 3 in Protocol B. Let $C$ be the set of check rounds, as designated in Step 2 of Protocol A. Then $H^{\varepsilon'}_{\max}(B_C|A_C)\le H(1.1\eta)|C|$, where $\varepsilon'=2e^{-\gamma\eta|C|/400}$.

Proof. Fix the set $C$. The set $B$ chosen by Alice and Bob to perform parameter estimation contains a fraction at least $\gamma/2$ of the rounds in $C$, except with probability at most $e^{-\gamma|C|/8}$. The protocol is aborted as soon as more than an $\eta$ fraction of those rounds are such that $a_i\neq b_i$. Hence with probability at least $1-e^{-\gamma\eta|C|/200}$ the total fraction of errors in $C$ is at most $1.1\eta$. In particular, with probability at least $1-e^{-\gamma\eta|C|/400}$ over $A_C$, $B_C$ will take on at most $2^{H(1.1\eta)|C|}$ values. □

Privacy amplification. The following lemma states the existence of a good protocol for privacy amplification.

Lemma 7 (Lemma 6.4.1 in [Ren05]). Suppose the information reconciliation protocol requires at most $\ell$ bits of communication. Then for any $\varepsilon>0$ there is a privacy amplification protocol based on two-universal hashing which extracts $H^{\varepsilon}_{\min}(B_C\,|\,\mathcal{E}')-\ell-2\log(1/\varepsilon)$ bits of key.

Lemma 4 now follows directly by combining Claim 6 with Lemma 7 and the assumption on the conditional min-entropy placed in the lemma.

3.3 A lower bound on the conditional min-entropy

The main result of this section is a lower bound on the conditional smooth min-entropy $H^{\varepsilon}_{\min}(B_C\,|\,XYA_BB_B\mathcal{E})$ of the raw key.

Theorem 8. Let $\eta>0$ be given. There exist positive constants $C_\varepsilon,C_\gamma$ (possibly depending on $\eta$) such that the following hold. Let $m$ be an integer and $\varepsilon>e^{-C_\varepsilon m}$ be given. Let $\gamma=(C_\gamma/\eta^2)\ln(1/\varepsilon)/m$ be as specified in Protocol A (Figure 1). Let $\kappa$ be any constant such that $\kappa<(\sqrt2-1)/(4\ln 2)-(4/\ln 2)\,\eta$.

Suppose that the devices A, B are such that with probability at least $\varepsilon$ the protocol does not abort. Let $\mathcal{E}$ be an auxiliary system held by an eavesdropper, who may also learn $(X,Y)$ and $(A_B,B_B)$. Then, conditioned on the protocol not aborting, it holds that

$$H^{\varepsilon}_{\min}(B_C\,|\,XYA_BB_B\mathcal{E})\ \ge\ \kappa|C|-O(\ln(1/\varepsilon)).$$

We note that the precise relation between the parameters $\kappa$ and $\eta$ stated in the theorem is the one that we obtain from our proof; we have not attempted to optimize it fully, and it is likely that a better dependency can be derived. It is also clear from the proof that one may trade off the different constants against each other, depending on whether one is interested in the maximum possible key rate in the presence of very small noise or, at the opposite extreme, in tolerating as much noise as possible.

The proof of Theorem 8 is based on three lemmas. We state the lemmas first, and derive the theorem from them below.
3.3.1 The reconstruction lemma

Our first lemma states that, if the min-entropy condition in the conclusion of the theorem is not satisfied, then there must exist a measurement on the system $\mathcal{E}$, depending on $X$, $Y$, and $B_B$, together with some additional "advice" bits of information about $B_C$, whose outcome $E\in\{0,1\}^{|C|}$ agrees with $B_C$ with non-negligible probability.

Lemma 9. Let $\kappa>0$ and suppose that $H^{\varepsilon}_{\min}(B_C\,|\,XYA_BB_B\mathcal{E})<\kappa|C|$. Then there exists an $\alpha=\kappa|C|/m+2\gamma+O(\log(m/\varepsilon)/m)$ and a function $f_{\mathrm{adv}}:\{0,1\}^{|C|}\to\{0,1\}^{(\alpha-2\gamma)m}$ such that, given the bits $\mathrm{Adv}=f_{\mathrm{adv}}(B_C)A_BB_B\in\{0,1\}^{\alpha m}$ together with the inputs $X,Y$, there exists a measurement on $\mathcal{E}$ that outputs a string $e\in\{0,1\}^{|C|}$ such that with probability (over the randomness in $B$ and in the measurement) at least $C_E(\varepsilon/m)^6$, where $C_E$ is a universal constant, the equality $e=b_C$ holds.

The proof of Lemma 9 is based on a "reconstruction"-type argument from [DPVR12]. A very similar argument was already used to establish an analogous lemma in [VV11]. We give the proof of Lemma 9 in Section 5.

3.3.2 Existence of a good round

Our second lemma states the existence of a "good" round $i_0\in[m]$ in which both the CHSH condition is satisfied, and the outcome $E_{i_0}$ of the measurement described in Lemma 9 agrees with $B_{i_0}$, with good probability. Note also the additional condition (2) in the lemma, which states that systems A and B are each close to being independent from the random variables $X_{i_0},Y_{i_0}$ describing the choice of inputs in round $i_0$. This condition is necessary for the condition on the CHSH violation to be of any use: indeed, without (2) it could in principle be that the conditioning on specific outcomes in previous rounds, including the adversary's outcomes, completely fixes the choice of inputs in the $i_0$-th round. Conditions (2)-(4) in the lemma correspond to conditions (i)-(iii) discussed in Section 1.2.

Eq. (2) implies that the distribution that arises from the devices' measurements on the states $\rho_{A_{i_0}B_{i_0}}$ is, while not necessarily quantum, still no-signalling, and this is all that is required for the application of the guessing lemma, Lemma 11 below. As explained in the introduction, proving this condition is an important point of departure of our proof from previous approaches, which used an assumption of independence between the devices or a limitation of the adversary in order to automatically obtain that (an even stronger form of) the condition held in all rounds without requiring any conditioning.

We refer to Section 3.1 for a description of the events $\mathrm{CHSH}_{AB}$ and $\mathrm{VIOL}_{AB}$ appearing in the statement of the lemma.

Lemma 10. Let $\overline{\mathrm{Adv}}$ be uniformly distributed in $\{0,1\}^{\alpha m}$, and $\eta,\varepsilon>0$ be such that the following holds:

$$\Pr\big(\mathrm{CHSH}_{AB}(\eta)\wedge\mathrm{GUESS}_{B\mathcal{E}}\ \big|\ \overline{\mathrm{Adv}}=\mathrm{Adv}\big)\ \ge\ \varepsilon,$$

and let $\alpha=|\mathrm{Adv}|/m$. Then there exists a universal constant $C_\nu>0$, a $\nu\le C_\nu\sqrt{\log(1/\varepsilon)/m}$, an $i_0\in[m]$ and a set $G_{i_0}\subseteq(\{0,1,2\}\times\{0,1\}\times\{0,1\}^3)^{i_0-1}$ such that for every $(x,y,a,b,e)\in G_{i_0}$, there is a choice of $x_{>i_0},y_{>i_0}$ and an $\overline{\mathrm{Adv}}$ consistent with $((x,x_{>i_0}),(y,y_{>i_0}),a,b)$ such that the following hold:

$$\max\Big\{\Big\|\rho_{A_{i_0}X_{i_0}Y_{i_0}}-\rho_{A_{i_0}}\otimes\Big(\frac16\sum_{x,y}|x,y\rangle\langle x,y|\Big)\Big\|_1,\ \Big\|\rho_{B_{i_0}X_{i_0}Y_{i_0}}-\rho_{B_{i_0}}\otimes\Big(\frac16\sum_{x,y}|x,y\rangle\langle x,y|\Big)\Big\|_1\Big\}\ \le\ \nu,\qquad(2)$$

$$\mathrm{VIOL}_{AB}(i_0)\ \le\ 3\eta+\nu,\qquad(3)$$

$$\Pr\big(\mathrm{GUESS}_{B\mathcal{E}}(i_0)\big)\ \ge\ 1-12\ln(2)\,\alpha-\nu,\qquad(4)$$

where in (2) the state $\rho_{A_{i_0}B_{i_0}X_{i_0}Y_{i_0}}$ is the (normalized) state of the corresponding systems in round $i_0$, conditioned on $(x,y,a,b,e)$, and similarly in (3) and (4) the violation is estimated conditioned on previous inputs/outputs to the devices being $(x,y,a,b)$, and on Eve making her measurement based on the inputs $(x,2,x_{>i_0})$ and $(y,1,y_{>i_0})$ and advice string $\overline{\mathrm{Adv}}$, and obtaining outcomes $e$ as her prediction in rounds $C\cap\{1,\ldots,i_0-1\}$.

The proof of Lemma 10 is given in Section 4.
3.3.3 The guessing lemma

We state the last lemma required for the proof of Theorem 8. A similar lemma already appeared in [VV11]. Here we give a slightly more general version of the lemma stated in a form that can be directly used in the proof of the theorem.

Lemma 11 (Guessing lemma). Let $\delta,\nu,\eta>0$. Suppose given six bipartite states $\rho^{xy}_{AB}$, where $x\in\{0,1,2\}$, $y\in\{0,1\}$, such that the following hold:

1. If $\rho_A=(1/6)\sum_{x,y}\mathrm{Tr}_B(\rho^{xy}_{AB})$ and $\rho_B=(1/6)\sum_{x,y}\mathrm{Tr}_A(\rho^{xy}_{AB})$, then, writing $\rho^{xy}_A=\mathrm{Tr}_B(\rho^{xy}_{AB})$ and $\rho^{xy}_B=\mathrm{Tr}_A(\rho^{xy}_{AB})$,

$$\frac16\sum_{x,y}\big\|\rho^{xy}_A-\rho_A\big\|_1\ \le\ \nu\qquad\text{and}\qquad\frac16\sum_{x,y}\big\|\rho^{xy}_B-\rho_B\big\|_1\ \le\ \nu,\qquad(5)$$

2. There exist observables $A_x=A^0_x-A^1_x$, $B_y=B^0_y-B^1_y$ on A, B respectively that satisfy

$$\frac14\Big(\mathrm{Tr}\big((A_0\otimes B_0)\rho^{00}_{AB}\big)+\mathrm{Tr}\big((A_0\otimes B_1)\rho^{01}_{AB}\big)+\mathrm{Tr}\big((A_1\otimes B_0)\rho^{10}_{AB}\big)-\mathrm{Tr}\big((A_1\otimes B_1)\rho^{11}_{AB}\big)\Big)\ \ge\ \frac{\sqrt2}{2}-\eta,$$

3. Bob's measurement $B_1$ produces outcome $b_1\in\{0,1\}$ with probability $1-\delta$, when performed on his share of $\rho^{21}_{AB}$:

$$\mathrm{Tr}\big((\mathrm{Id}\otimes B^{b_1}_1)\,\rho^{21}_{AB}\big)\ \ge\ 1-\delta.$$

Then the condition

must hold.
Proof. For every $(a,b,x,y)\in\{0,1\}^2\times\{0,1,2\}\times\{0,1\}$ let $p(a,b|x,y):=\mathrm{Tr}\big((A^a_x\otimes B^b_y)\rho^{xy}_{AB}\big)$. Condition (5) implies that the distribution $p$ is approximately no-signalling, in the following sense: on average over the choice of a uniformly random pair $(x,y)$, the statistical distance

$$\frac16\sum_{x,y}\sum_a\Big|\sum_b p(a,b|x,y)-\frac12\sum_{y'}\sum_b p(a,b|x,y')\Big|
\ \le\ \frac16\sum_{x,y}\sum_a\Big|\mathrm{Tr}\Big(A^a_x\Big(\rho^{xy}_A-\frac12\sum_{y'}\rho^{xy'}_A\Big)\Big)\Big|
\ \le\ \frac16\sum_{x,y}\Big\|\rho^{xy}_A-\frac12\sum_{y'}\rho^{xy'}_A\Big\|_1
\ \le\ 2\nu,$$

where the last step follows from (5) and the triangle inequality, and a similar bound holds for the marginals on B. Lemma 9.5 in [Hol09] implies that there exists a distribution $q(a,b|x,y)$ such that $q$ is (perfectly) no-signalling, and moreover, on average over $(x,y)$ the statistical distance $\|p(\cdot,\cdot|x,y)-q(\cdot,\cdot|x,y)\|_1\le10\nu$. In particular, the second assumption in the lemma implies that the distribution $q$ must violate the CHSH inequality by at least $\sqrt2/2-\eta-15\nu$, and the third assumption implies that $\sum_a q(a,1|2,1)\ge1-\delta-60\nu$. Applying the bound (A.11) derived in the supplementary information to [PAM+10] with $I/4=\sqrt2/2-\eta-15\nu$ we obtain the inequality claimed in the lemma. □

3.3.4 Proof of Theorem 8

We give the proof of Theorem 8 assuming the lemmas stated in the three previous subsections.

Proof of Theorem 8. Let $(X,Y,A,B)$ be random variables describing Alice and Bob's choice of inputs to A and B respectively, and the outputs obtained, in an execution of Protocol A. Let $E=E(\overline{\mathrm{Adv}})$ be the random variable that describes the outcome of the measurement on $\mathcal{E}$ described in Lemma 9 when the advice bits $\overline{\mathrm{Adv}}$ are selected uniformly at random (independently from A and B). Denote by $\mathrm{Adv}=f_{\mathrm{adv}}(B_C)A_BB_B$ the "correct" advice bits.

The proof proceeds by contradiction. Assume that there existed a pair of devices (A, B) such that

$$\Pr\big(\mathrm{CHSH}_{AB}(B,\eta)\big)\ \ge\ \varepsilon,\qquad H^{\varepsilon}_{\min}(B_C\,|\,XYA_BB_B\mathcal{E})\ <\ \kappa|C|,\qquad(6)$$

where $\varepsilon,\eta,\kappa$ are as in the statement of the theorem. Denote by $\mathrm{GUESS}_{B\mathcal{E}}(\overline{\mathrm{Adv}})$ the event that $E=B_C$. Using Lemma 9, we deduce from (6) that the following must hold:

$$\Pr\big(\mathrm{CHSH}_{AB}(B,\eta)\wedge\mathrm{GUESS}_{B\mathcal{E}}(\overline{\mathrm{Adv}})\ \big|\ \overline{\mathrm{Adv}}=\mathrm{Adv}\big)
\ =\ \Pr\big(\mathrm{GUESS}_{B\mathcal{E}}(\overline{\mathrm{Adv}})\ \big|\ \mathrm{CHSH}_{AB}(B,\eta),\ \overline{\mathrm{Adv}}=\mathrm{Adv}\big)\cdot\Pr\big(\mathrm{CHSH}_{AB}(B,\eta)\ \big|\ \overline{\mathrm{Adv}}=\mathrm{Adv}\big)
\ \ge\ C_E\,(\varepsilon/m)^6\cdot\varepsilon,\qquad(7)$$

where $C_E$ is the constant from Lemma 9. Since the rounds $B$ are chosen uniformly at random, Claim 12 below states that, for any $0<\beta<1$:

$$\Pr\big(\mathrm{CHSH}_{AB}((1+\beta)\eta)\ \big|\ \mathrm{CHSH}_{AB}(B,\eta)\big)\ \ge\ \qquad(8)$$

where $\gamma=|B|/m$. Choose $\beta=1/3$, and let $\eta':=4\eta/3$. Provided $C_\gamma$ is chosen large enough, the choice of $\gamma$ made in the theorem is such that $\gamma\ge\log\big(2m^6/(C_E\varepsilon^7)\big)/\big((2/9)\eta^2m\big)$, so that $e^{-(2/9)\eta^2\gamma m}\le C_E\varepsilon^7/(2m^6)$. Hence we obtain the following by combining (7) and (8):

$$\Pr\big(\mathrm{CHSH}_{AB}(\eta')\wedge\mathrm{GUESS}_{B\mathcal{E}}(\overline{\mathrm{Adv}})\ \big|\ \overline{\mathrm{Adv}}=\mathrm{Adv}\big)\ \ge\ C_E\big(\varepsilon^7/(2m^6)\big)\ =:\ \varepsilon'.\qquad(9)$$
We may now apply Lemma 10. Let $\nu=C_\nu\sqrt{\log(1/\varepsilon')/m}$, and $i_0\in[m]$ be the "good" round that is promised by the lemma. We proceed to show that the existence of such a round leads to a contradiction by appealing to the guessing lemma, Lemma 11.

Consider the following setup. Alice, Bob and Eve prepare their devices by selecting a random string of inputs $\overline{x},\overline{y}$ for Eve, except that $\overline{x}_{i_0}=2$ and $\overline{y}_{i_0}=1$ always. Eve guesses the advice bits $\overline{\mathrm{Adv}}$ at random and makes a prediction $E=e$. Alice and Bob then use their devices up to round $i_0-1$ by choosing inputs $(x_{<i_0},y_{<i_0})=(\overline{x}_{<i_0},\overline{y}_{<i_0})$. They verify that the resulting outputs $a_{<i_0},b_{<i_0}$ are such that

$$(x_{<i_0},y_{<i_0},a_{<i_0},b_{<i_0},e_{<i_0})\ \in\ G_{i_0};$$

if not they abort. Upon having succeeded in this conditioning they separate and play the guessing game. Alice holds system A, while Bob holds system B.

Lemma 10 shows that all conditions in Lemma 11 are satisfied: as a result, it must be that

$$12\ln(2)\,\alpha+\nu\ \ge\ \Big(\frac{\sqrt2-1}{2}-6\eta'-2\nu\Big)-75\nu.$$

By definition, provided the constant $C_\nu$ is large enough we have $\alpha\le\kappa/6+2\gamma+\nu$, where we used that $|C|\le m/6+O(\sqrt{\ln(1/\varepsilon)})$, as enforced in the protocol, and $\eta'=4\eta/3$. Re-arranging terms and using the definition of $\nu$ and $\gamma$ we obtain the condition

$$\kappa\ \ge\ \frac{\sqrt2-1}{4\ln 2}-\frac{4}{\ln 2}\,\eta-O\Big(\sqrt{\frac{\log(1/\varepsilon)}{\eta^2 m}}\Big),$$

which, given the choice of $\kappa$ made in the theorem, is a contradiction provided $C_\varepsilon$ is chosen small enough. □
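The re-arrangement from the guessing-lemma inequality to the final condition on $\kappa$, written out with the page's own symbols as an added worked step (it is not part of the original text and uses only the bounds $\alpha\le\kappa/6+2\gamma+\nu$ and $\eta'=4\eta/3$ stated above):

$$12\ln(2)\,\alpha+\nu\ \ge\ \frac{\sqrt2-1}{2}-6\eta'-77\nu
\qquad\Longrightarrow\qquad
2\ln(2)\,\kappa+24\ln(2)\,\gamma+12\ln(2)\,\nu+\nu\ \ge\ \frac{\sqrt2-1}{2}-8\eta-77\nu,$$

so that, dividing by $2\ln 2$,

$$\kappa\ \ge\ \frac{\sqrt2-1}{4\ln 2}-\frac{4}{\ln 2}\,\eta-\frac{(78+12\ln 2)\,\nu}{2\ln 2}-12\gamma .$$

The last two terms are the ones collected into the $O(\cdot)$ error term of the displayed condition: $\nu=C_\nu\sqrt{\log(1/\varepsilon')/m}$ with $\varepsilon'=C_E\varepsilon^7/(2m^6)$, and $\gamma=(C_\gamma/\eta^2)\ln(1/\varepsilon)/m$. The leading terms match the threshold $\kappa<(\sqrt2-1)/(4\ln 2)-(4/\ln 2)\eta$ of Theorem 8 exactly, which is what makes the two conditions incompatible for small enough $C_\varepsilon$.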
Claim 12. Let $\eta,\gamma>0$. The following holds for any $0<\beta<1$:

$$\Pr\big(\mathrm{CHSH}((1+\beta)\eta)\ \big|\ \mathrm{CHSH}(S,\eta)\big)\ \ge$$

where the probability is taken over the choice of a random subset $S\subseteq[m]$ of size $|S|=\gamma m$.

Proof. Consider a given run of the protocol. Suppose that the fraction of rounds in which the CHSH condition is not satisfied is at least $(1-\mathrm{opt})+(1+\beta)\eta$. By a standard Chernoff bound, a randomly chosen set $S\subseteq[m]$ of size $\gamma m$ will have at least $((1-\mathrm{opt})+\eta)\gamma m$ of its rounds with inputs corresponding to the CHSH condition being violated, except with probability at most $e^{-2\beta^2\eta^2\gamma m}$. □
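To make the event $\mathrm{CHSH}_{AB}(S,\eta)$ and the Bell-round estimate of Claim 12 concrete, here is an added Python simulation. It is not code from the paper. It assumes the standard CHSH condition $a\oplus b=x\cdot y$ on Bell inputs (the page's Section 2 is not shown here), takes $\mathrm{opt}=\cos^2(\pi/8)$, treats the input pair $(2,0)$ as unconstrained, and stands in for honest devices with a classical sampler that reproduces the optimal quantum statistics and then adds bit-flip noise on Bob's side. All of those are assumptions of the example, marked as such in the comments.

```python
import math
import random

# Winning probability of the optimal quantum CHSH strategy, cos^2(pi/8).
# ASSUMPTION: this is the quantity the page calls "opt" (its Section 2 is not shown).
OPT = math.cos(math.pi / 8) ** 2


def chsh_condition(x, y, a, b):
    """CHSH condition for one round, as ASSUMED in this example:
    - Bell inputs x, y in {0,1}: a XOR b == x AND y;
    - check round (x, y) = (2, 1): a == b (the page says check rounds impose A_i = B_i);
    - (2, 0): no constraint, so the condition is taken to be satisfied."""
    if x == 2:
        return a == b if y == 1 else True
    return (a ^ b) == (x & y)


def honest_round(x, y, noise, rng):
    """Classical stand-in for honest noisy devices: it reproduces the optimal
    quantum CHSH statistics (Pr[a XOR b = xy] = OPT, uniform marginals) and, for
    x = 2, Alice measures in Bob's y = 1 basis so that (2, 1) gives a == b.
    Bob's output is then flipped with probability `noise` (constructed noise model)."""
    a = rng.randrange(2)
    if x == 2:
        b = a if y == 1 else rng.randrange(2)
    else:
        b = a ^ (x & y) if rng.random() < OPT else a ^ (x & y) ^ 1
    if rng.random() < noise:
        b ^= 1
    return a, b


def run_protocol_rounds(m, noise, seed):
    """m rounds with uniformly random inputs in {0,1,2} x {0,1}; returns the
    list of (x, y, a, b) tuples and the indicator list Z (1 = condition violated)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(m):
        x, y = rng.randrange(3), rng.randrange(2)
        a, b = honest_round(x, y, noise, rng)
        rows.append((x, y, a, b))
    z = [0 if chsh_condition(*r) else 1 for r in rows]
    return rows, z


def chsh_event(z, S, eta):
    """The event CHSH_AB(S, eta): the condition holds in a fraction >= opt - eta
    of the rounds indexed by S."""
    satisfied = sum(1 - z[i] for i in S)
    return satisfied / len(S) >= OPT - eta


def bell_subsample(m, gamma, seed):
    """A uniformly random subset S of [m] of size gamma*m, the Bell rounds of Claim 12."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(m), int(gamma * m)))


def estimation_gap(z, S):
    """Full-run violation fraction minus the fraction estimated on S. Claim 12
    bounds the probability that this gap exceeds beta*eta by exp(-2 beta^2 eta^2 |S|)."""
    return sum(z) / len(z) - sum(z[i] for i in S) / len(S)


if __name__ == "__main__":
    rows, z = run_protocol_rounds(20000, noise=0.05, seed=11)
    S = bell_subsample(20000, gamma=0.1, seed=3)
    print("CHSH_AB(eta=0.1) on all rounds:", chsh_event(z, range(20000), 0.1))
    print("CHSH_AB(S, eta=0.1) on Bell rounds:", chsh_event(z, S, 0.1))
    print("estimation gap (full run minus S):", round(estimation_gap(z, S), 4))
```

Raising `noise` past roughly 0.3 makes `chsh_event` with $\eta=0.1$ fail, which is the abort branch of parameter estimation; the gap between the full-run fraction and its estimate on $S$ stays at the $1/\sqrt{|S|}$ scale that the Chernoff bound in Claim 12 predicts.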



4 Proof of Lemma 10

This section is devoted to the proof of Lemma 10. Let $D$ be the event $\mathrm{CHSH}_{AB}(\eta)\wedge\mathrm{GUESS}_{B\mathcal{E}}$: the main assumption of the lemma states that $\Pr(D\,|\,\overline{\mathrm{Adv}}=\mathrm{Adv})\ge\varepsilon$. We first prove two preliminary claims which establish that, provided $\varepsilon$ is not too small, conditioning on $D$ does not affect either the distribution of inputs $(X_i,Y_i)$ or the reduced density matrices of the inner state of each device's system in most rounds $i$ by too much.

Claim 13. Suppose that, in Protocol B, Alice and Bob choose inputs $(X,Y)\in\{0,1,2\}^m\times\{0,1\}^m$ uniformly at random, obtaining outcomes $A,B\in\{0,1\}^m$. Suppose that $\mathcal{E}$ is measured using Eve's guessing measurement (as described in Lemma 9) with inputs $(\overline{X},\overline{Y})=(X,Y)$ and advice bits $\overline{\mathrm{Adv}}=\mathrm{Adv}$, resulting in an outcome $E\in\{0,1\}^{|C|}$. Let $P_{X_iY_i}$ be the marginal distribution of the inputs in the $i$-th round, conditioned on $(X_{<i},Y_{<i},A_{<i},B_{<i},E_{<i})=(x_{<i},y_{<i},a_{<i},b_{<i},e_{<i})\in D_{<i}$, the projection of $D$ on the first $(i-1)$ coordinates. Then the following bound holds on expectation over $(x_{<i},y_{<i},a_{<i},b_{<i},e_{<i})$:

$$\frac1m\sum_i\big\|P_{X_iY_i}-U_{3\times2}\big\|_1\ \le\ \sqrt{\frac{\log(1/\varepsilon)}{2m}},$$

where $U_{3\times2}$ is the uniform distribution on $\{0,1,2\}\times\{0,1\}$.

Proof. The Shannon entropy $H(X,Y)=\log(6)\,m$, and conditioned on $D$, $H(X,Y|D)\ge\log(6)\,m-\log(1/\varepsilon)$. Applying the chain rule,

$$\mathbb{E}_i\,H(X_iY_i\,|\,X_{<i}Y_{<i}D_{<i})\ \ge\ \log(6)-\frac{\log(1/\varepsilon)}{m}.$$

Using the classical Pinsker's inequality as $\|P_{X_iY_i}-U_{3\times2}\|_1\le\sqrt{(\log(6)-H(X_iY_i))/2}$ and Jensen's inequality we get

$$\frac1m\sum_i\big\|P_{X_iY_i}-U_{3\times2}\big\|_1\ \le\ \sqrt{\frac{\log(1/\varepsilon)}{2m}},$$

proving the claim. □

The fact that $D$ depends both on the choice of inputs $(X,Y)$ and on the adversary's measurement outcome implies that conditioning on $D$ could not only bias the distribution of $(X,Y)$ but also introduce correlations between $(X,Y)$ and the reduced state $\rho_{AB}$ of the devices. The following claim shows that, if $D$ is an event with large enough probability, the correlations introduced by this conditioning do not affect the reduced state on either A or B by too much, for most rounds $i$.

Claim 14. Consider the same situation as described in Claim 13. Let $\rho_{A_iX_iY_i}$ denote the reduced density of the joint state of systems A (in round $i$) and $X_iY_i$, conditioned on $(X_{<i},Y_{<i},A_{<i},B_{<i},E_{<i})=(x_{<i},y_{<i},a_{<i},b_{<i},e_{<i})\in D_{<i}$. Then the following holds on expectation over $(x_{<i},y_{<i},a_{<i},b_{<i},e_{<i})$:

$$\frac1m\sum_i\Big\|\rho_{A_iX_iY_i}-\rho_{A_i}\otimes\Big(\frac16\sum_{x,y}|x,y\rangle\langle x,y|\Big)\Big\|_1\ \le\ 4\sqrt{\log(1/\varepsilon)/m}.\qquad(10)$$

Moreover, the same bound holds when $A_i$ is replaced by $B_i$.

Proof. We use Claim 27. Alice's sequential measurements are taken to be the ones performed on A, while Bob's measurement is the combination of the measurements on B, together with Eve's measurement, on inputs $X,Y$ and advice bits $\overline{\mathrm{Adv}}=\mathrm{Adv}$ obtained from $B$. We set $X$ in the claim to be $XY$ here, and the outcomes $B$ in the claim to $BE$ here. Together with the assumption $\Pr(D\,|\,\overline{\mathrm{Adv}}=\mathrm{Adv})\ge\varepsilon$, the claim shows that

$$\sum_i I(A_i:X_iY_i\,|\,D_{<i})\ \le$$

Using Pinsker's inequality (1) together with Jensen's inequality,

$$\frac1m\sum_i\Big\|\rho_{A_iX_iY_i}-\rho_{A_i}\otimes\Big(\frac16\sum_{x,y}|x,y\rangle\langle x,y|\Big)\Big\|_1\ \le\ 4\sqrt{\log(1/\varepsilon)/m},$$

where we used Claim 13 to show that the marginal distribution of $(X_i,Y_i)$ is close to uniform on $\{0,1,2\}\times\{0,1\}$, even conditioned on $D_{<i}$. □
The following claim replaces the event that the CHSH condition is satisfied in a large fraction of rounds by the event that there exist many rounds in which the CHSH condition is likely to be satisfied (when evaluated on the state of the devices in that round).

Claim 15. There exists a set $T\subseteq[m]$ such that $|T|\ge2m/3$, and a subset $D'\subseteq D$ such that $\Pr(D'|D)\ge1/2$ and for every $i\in T$, conditioned on $\overline{\mathrm{Adv}}=\mathrm{Adv}$ and on inputs and outputs to the devices in rounds prior to $i$ being in $D'$, the condition $\mathrm{VIOL}_{AB}(i)\le3\eta+6\sqrt{\ln(1/\varepsilon)/m}$ holds.

Proof. Let $Z_i\in\{0,1\}$ be $1$ if and only if the CHSH condition is not satisfied in round $i$. By definition, $\mathbb{E}[Z_i]=(1-\mathrm{opt})+\mathrm{VIOL}_{AB}(i)$. Let $W_i=\mathbb{E}[Z_i]-Z_i$ and $W_{\le i}=W_1+\cdots+W_i$. $(W_{\le i})_i$ is a martingale, and by Azuma's inequality, for any $\beta>0$

$$\Pr\Big(\frac1m\sum_i\mathrm{VIOL}_{AB}(i)+(1-\mathrm{opt})\ \ge\ \frac1m\sum_iZ_i+\beta\Big)\ =\ \Pr\Big(\frac1m\sum_iW_i\ \ge\ \beta\Big)\ \le\ e^{-\beta^2m/2}.$$

Since the string $\overline{\mathrm{Adv}}$ is chosen by the adversary uniformly at random, we may further condition the equations above on $\overline{\mathrm{Adv}}=\mathrm{Adv}$ without affecting their validity. Note that the event $\mathrm{CHSH}_{AB}(\eta)$ is equivalent to $\frac1m\sum_iZ_i\le(1-\mathrm{opt})+\eta$. Choosing $\beta=\sqrt{2\ln(2/\varepsilon)/m}$, so that $e^{-\beta^2m/2}\le\varepsilon/2$, and using the assumption $\Pr(D\,|\,\overline{\mathrm{Adv}}=\mathrm{Adv})\ge\varepsilon$ to further condition on $D=\mathrm{CHSH}_{AB}(\eta)\wedge\mathrm{GUESS}_{B\mathcal{E}}$ we get

$$\Pr\Big(\frac1m\sum_i\mathrm{VIOL}_{AB}(i)\ \ge\ \eta+\beta\ \Big|\ D,\ \overline{\mathrm{Adv}}=\mathrm{Adv}\Big)\ \le\ 1/2.$$

The quantity $\mathrm{VIOL}_{AB}(i)$ is a nonnegative number which only depends on the state of the devices in round $i$, itself only depending on the string of inputs and outputs observed thus far. Applying Markov's inequality, the condition above implies that there is a set $T\subseteq[m]$ of size $|T|\ge2m/3$ and a subset $D'\subseteq D$ of size $\Pr(D'|D)\ge1/2$ such that for every $i\in T$ it holds that $\mathrm{VIOL}_{AB}(i)\le3(\eta+\beta)$, provided previous inputs and outputs of the devices were in $D'$. □

Proof of Lemma 10. Let $D'$ be the set from Claim 15. Consider the state of the devices A and B in an arbitrary round $i$ of the protocol. By applying Markov's inequality to the bound (10) from Claim 14 we obtain a set $T'\subseteq[m]$ of size $|T'|\ge11m/12$ and a subset $D''\subseteq D'$ satisfying $\Pr(D''|D')\ge1/2$ such that, for every $i\in T'$, conditioned on $\overline{\mathrm{Adv}}=\mathrm{Adv}$ and $(X_{<i},Y_{<i},A_{<i},B_{<i},E_{<i})=(x_{<i},y_{<i},a_{<i},b_{<i},e_{<i})\in D''$, both bounds

$$\Big\|\rho_{A_iX_iY_i}-\rho_{A_i}\otimes\Big(\frac16\sum_{x,y}|x,y\rangle\langle x,y|\Big)\Big\|_1\ \le\ 200\sqrt{\log(1/\varepsilon)/m}$$

and the analogous bound where $A_i$ is replaced by $B_i$ hold. Letting $T''=T'\cap T$, where $T$ is the set from Claim 15, both the bound above and the condition $\mathrm{VIOL}_{AB}(i)\le3\eta+6\sqrt{\ln(1/\varepsilon)/m}$ hold simultaneously in the rounds from $T''$ (conditioned on previous inputs and outputs being in $D''$). Furthermore, note that whether both conditions are satisfied or not only depends on the (post-selected) state of the protocol in round $i$, itself only depending on subsequent choices of inputs and outputs in the protocol to the extent that the condition $\overline{\mathrm{Adv}}=\mathrm{Adv}$ is satisfied. Hence as long as the advice bits $\overline{\mathrm{Adv}}$ that Eve uses to select the measurement on her system have a positive probability of being the correct advice bits, given the data generated up to round $i-1$, both bounds must hold verbatim. As a consequence, for any fixed $(x,y,a,b,e)\in D''_{<i}$ there exists a string $(x_{>i},y_{>i},a_{>i},b_{>i})$ from which advice bits $\mathrm{Adv}_{>i}$ can be computed such that if Eve makes the corresponding measurement, and obtains outputs that match $e_{<i}$, the bounds will hold irrespective of what might happen if the protocol was to be run for rounds after $i$. Thus conditions (2) and (3) in the lemma hold for any round $i\in T''$.

It remains to show that condition (4) holds simultaneously in some round $i_0$. Since by construction $\Pr(D''\,|\,\overline{\mathrm{Adv}}=\mathrm{Adv})\ge\varepsilon/4$, multiplying by $\Pr(\overline{\mathrm{Adv}}=\mathrm{Adv})=2^{-\alpha m}$, applying Bayes' rule, and using the definition of $D=\mathrm{CHSH}_{AB}(\eta)\wedge\mathrm{GUESS}_{B\mathcal{E}}$, we get

$$\prod_{i=1}^m\Pr\big(\mathrm{GUESS}_{B\mathcal{E}}(i)\ \big|\ D''_{<i}\big)\ \ge\ (\varepsilon/4)\,2^{-\alpha m}.$$

Taking logarithms and applying Markov's inequality, there is a subset $S\subseteq[m]$ of size $|S|\ge m/2$ such that for every $i\in S$,

$$-\ln\Pr\big(\mathrm{GUESS}_{B\mathcal{E}}(i)\ \big|\ D''_{<i}\big)\ \le\ 2\big(\ln(2)\,\alpha+\ln(4/\varepsilon)/m\big),$$

implying that, for all $i\in S$,

$$\Pr\big(\mathrm{GUESS}_{B\mathcal{E}}(i)\ \big|\ D''_{<i}\big)\ \ge\ 1-2\ln(2)\,\alpha-2\ln(4/\varepsilon)/m.\qquad(11)$$

Let $i_0$ be any round in $T''\cap S$. To obtain (4) we need to further condition (11) on inputs in round $i_0$ being the pair $(2,1)$, which using Claim 13 happens with probability $1/6\pm O(\sqrt{\ln(1/\varepsilon)/m})$. Choosing $C_\nu$ in the lemma to be a large enough constant, all three conditions are satisfied. □

5 The quantum reconstruction paradigm

In this section we prove a general lemma, Lemma 22 in Section 5.2 below, from which Lemma 9 is deduced in Section 5.3. We start with some useful preliminary definitions and known results.

5.1 Combinatorial preliminaries

We first define extractors.

Definition 16. A function $\mathrm{Ext}:\{0,1\}^n\times\{0,1\}^d\to\{0,1\}^m$ is a quantum-proof (or simply quantum) $(k,\varepsilon)$-strong extractor if for all states $\rho_{XE}$ classical on $X$ with $H_{\min}(X|E)\ge k$, and for a uniform seed $Y\in\{0,1\}^d$, we have

$$\frac12\big\|\rho_{\mathrm{Ext}(X,Y)YE}-\rho_{U_m}\otimes\rho_Y\otimes\rho_E\big\|_1\ \le\ \varepsilon,$$

where $\rho_{U_m}$ is the fully mixed state on a system of dimension $2^m$.

We will use list-decodable codes.

Definition 17. A code $C:\{0,1\}^n\to\{0,1\}^{\bar n}$ is said to be $(\varepsilon,L)$-list-decodable if every Hamming ball of relative radius $1/2-\varepsilon$ in $\{0,1\}^{\bar n}$ contains at most $L$ codewords.

There exist list-decodable codes with the following parameters.

Lemma 18. For every $n\in\mathbb{N}$ and $\delta>0$ there is a code $C_{n,\delta}:\{0,1\}^n\to\{0,1\}^{\bar n}$ which is $(\delta,1/\delta^2)$-list-decodable, with $\bar n=\mathrm{poly}(n,1/\delta)$. Furthermore, $C_{n,\delta}$ can be evaluated in time $\mathrm{poly}(n,1/\delta)$ and $\bar n$ can be assumed to be a power of 2.

For example, Guruswami et al. [GHSZ02] combine a Reed-Solomon code with a Hadamard code, obtaining such a list-decodable code with $\bar n=O(n/\delta^4)$.

We will also use the notion of weak design, as defined in [RRV02].

Definition 19. A family of sets $S_1,\ldots,S_m\subseteq[d]$ is a weak $(t,r,m,d)$-design if

1. For all $i$, $|S_i|=t$.

2. For all $i$, $\sum_{j<i}2^{|S_i\cap S_j|}\le rm$.

There exist designs with the following parameters.

Lemma 20 ([RRV02, Lemma 17]). For every $t,m\in\mathbb{N}$ there exists a weak $(t,1,m,d)$-design $S_1,\ldots,S_m\subseteq[d]$ such that $d=t\,\lceil t/\ln 2\rceil\,\lceil\log 4m\rceil=O(t^2\log m)$. Moreover, such a design can be found in time $\mathrm{poly}(m,d)$ and space $\mathrm{poly}(m)$.

Finally, we describe Trevisan's extractor construction.

Definition 21. For a one-bit extractor $C:\{0,1\}^n\times\{0,1\}^t\to\{0,1\}$, and for a weak $(t,r,m,d)$-design $S_1,\ldots,S_m\subseteq[d]$, we define the $m$-bit extractor $\mathrm{Ext}_C:\{0,1\}^n\times\{0,1\}^d\to\{0,1\}^m$ as

$$\mathrm{Ext}_C(x,y)\ :=\ C(x,y_{S_1}),\ \ldots,\ C(x,y_{S_m}).$$
5.2 The reconstruction lemma

The following lemma is implicit in the proof of security of Trevisan's extractor construction paradigm against quantum adversaries given in [DPVR12]. A similar lemma also appeared in [VV11, Lemma 13], where the code $C$ was specialized to the $\ell$-XOR code. For completeness, we state and sketch the proof of a more general variant of that lemma.

Lemma 22. Let $n,m,r,t,L$ be integers and $\varepsilon>0$. Let $C:\{0,1\}^n\to\{0,1\}^{\bar n}$ be a $(\varepsilon^2/(8m^2),L)$-list-decodable code, where $\bar n=2^t$. Let $\mathrm{Ext}_C$ be the extractor obtained by combining $C$ with a $(t,r,m,d)$ design as in Definition 21.

Let $\rho_{XE}$ be a state such that $X$ is a random variable distributed over $n$-bit strings. Let $U_m$ be uniformly distributed over $m$-bit strings, and suppose that

$$\big\|\rho_{\mathrm{Ext}_C(X,Y)YE}-\rho_{U_m}\otimes\rho_Y\otimes\rho_E\big\|_1\ \ge\ \varepsilon,\qquad(12)$$

where $Y$ is uniformly distributed over $\{0,1\}^d$. Then there exist fixed strings $y_1,\ldots,y_{rm}\in\{0,1\}^t$ such that, given the $\{(y_j,C(X)_{y_j})\}$ as advice, with probability at least $\varepsilon^2/(8m^2)$ over the choice of $x\sim p_X$ and her own randomness an "adversary" Eve holding system $E$ can produce a string $z$ such that $d_H(z,C(x))\le1/2-\varepsilon^2/(8m^2)$. In particular, Eve can recover $L$ strings $x_j\in\{0,1\}^n$ such that there exists $i$ with $x_i=x$.

Proof. Proposition 4.4 from [DPVR12] shows that a standard hybrid argument, together with properties of Trevisan's extractor (specifically the use of the seed through combinatorial designs), can be used to show the following claim.

Claim 23. Assume (12) holds. Then there exist strings $y_1,\ldots,y_{rm}\in\{0,1\}^t$, and for every $y\in\{0,1\}^t$ a binary measurement, depending on the $\{(y_i,C(X)_{y_i})\}$, on $E$ that outputs $C(X,y)$ with probability at least $1/2+\varepsilon/m$ on average over $y$. Formally,

$$\big\|\rho_{C(X)_YYVE}-\rho_{U_1}\otimes\rho_Y\otimes\rho_{VE}\big\|_1\ \ge\ \frac{\varepsilon}{m},\qquad(13)$$

where $Y$ is a random variable uniformly distributed over $\{0,1\}^t$ and $V$ is a classical register containing the $\{(y_i,C(X)_{y_i})\}$.

The next step is to argue that Eq. (13) implies that an adversary given access to $E'=VE$ can predict not only a random bit of $C(X)$, but a string $Z$ of length $m$ such that $Z$ agrees with $C(X)$ in a significant fraction of positions. This follows from an argument given in [KT08], and the following claim is proved exactly as [VV11, Claim 15].

Claim 24. Suppose (13) holds. Then there exists a measurement $\mathcal{F}$, with outcomes in $\{0,1\}^{\bar n}$, such that

$$\mathbb{E}_{x\sim p_X}\big[d_H(\mathcal{F}(VE),C(x))\big]\ \le\ \frac12-\frac{\varepsilon^2}{4m^2},\qquad(14)$$

where $\mathcal{F}(VE)$ denotes the outcome of $\mathcal{F}$ when performed on the state $\rho_{VE}$.

To conclude the argument, we use the error-correction properties of $C$ to argue that Eve can decode her string $C(\mathcal{F}(VE))$ into an educated guess of $x$. Claim 24 shows that, on expectation over $x$, Eve's string is at Hamming distance $1/2-\varepsilon^2/(4m^2)$ from the encoding of $x$. In particular, the distance will be at most $1/2-\varepsilon^2/(8m^2)$ for a fraction at least $\varepsilon^2/(8m^2)$ of $x\sim p_X$. Since, by assumption, $C$ is $(\varepsilon^2/(8m^2),L)$-list-decodable, for those $x$ Eve can narrow down the possibilities to at most $L$ distinct values. □
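The objects of Definitions 17, 19 and 21, together with the list-decoding step that closes the proof of Lemma 22, as an added Python example (this is not the paper's own code). The Hadamard code plays the role of the list-decodable code, so that $\bar n=2^t$ with $t=n$ and the one-bit extractor is $C(x,s)=\langle x,s\rangle \bmod 2$; a seeded randomised greedy search stands in for the explicit weak-design construction of Lemma 20, which the example does not implement; and `hadamard_list_decode` enumerates the Hamming ball of Definition 17 by brute force. The toy sizes are chosen so that the brute force finishes instantly; all inputs in the `__main__` block are constructed for illustration.

```python
import random
from itertools import product


def int_to_bits(j, n):
    """Little-endian n-bit vector of the integer j; indexes codeword positions."""
    return tuple((j >> k) & 1 for k in range(n))


def hadamard_encode(x):
    """Hadamard code C(x) in {0,1}^{2^n}: position y holds <x, y> mod 2.
    Read as y -> C(x)_y this is the one-bit extractor of Definition 21."""
    n = len(x)
    return tuple(sum(xi * yi for xi, yi in zip(x, int_to_bits(j, n))) % 2
                 for j in range(2 ** n))


def hadamard_list_decode(word, delta):
    """Brute-force list decoding: every x whose codeword lies within relative
    Hamming distance 1/2 - delta of `word` (the ball of Definition 17).
    Exponential in n, which is fine for the toy sizes used here."""
    n = len(word).bit_length() - 1
    out = []
    for x in product((0, 1), repeat=n):
        dist = sum(c != w for c, w in zip(hadamard_encode(x), word)) / len(word)
        if dist <= 0.5 - delta:
            out.append(x)
    return out


def is_weak_design(sets, t, r, m, d):
    """Check both conditions of a weak (t, r, m, d)-design (Definition 19)."""
    if len(sets) != m or any(not s <= set(range(d)) for s in sets):
        return False
    if any(len(s) != t for s in sets):
        return False
    for i in range(m):
        if sum(2 ** len(sets[i] & sets[j]) for j in range(i)) > r * m:
            return False
    return True


def greedy_weak_design(t, r, m, d, seed=0, tries=5000):
    """Seeded randomised greedy search for a weak design: each new set is
    accepted only if condition 2 of Definition 19 still holds. A stand-in for
    the [RRV02] construction of Lemma 20 (hypothetical helper, not from the paper)."""
    rng = random.Random(seed)
    sets = []
    for _ in range(m):
        for _ in range(tries):
            cand = set(rng.sample(range(d), t))
            if sum(2 ** len(cand & s) for s in sets) <= r * m:
                sets.append(cand)
                break
        else:
            raise ValueError("no design found; increase d or tries")
    return sets


def trevisan_extract(x, y, design):
    """Ext_C(x, y) = C(x, y_{S_1}), ..., C(x, y_{S_m}) of Definition 21, with the
    Hadamard one-bit extractor C(x, s) = <x, s> mod 2 and y_{S_i} the seed bits
    at the positions in S_i (taken in increasing order)."""
    out = []
    for s in design:
        sub = [y[k] for k in sorted(s)]
        out.append(sum(a * b for a, b in zip(x, sub)) % 2)
    return tuple(out)


if __name__ == "__main__":
    # Constructed toy instance: 3-bit source, 4 output bits, 24-bit seed.
    design = greedy_weak_design(t=3, r=1, m=4, d=24, seed=1)
    print("weak (3,1,4,24)-design found:", is_weak_design(design, 3, 1, 4, 24))
    x = (1, 0, 1)
    y = tuple(random.Random(5).randrange(2) for _ in range(24))
    print("Ext_C(x, y) =", trevisan_extract(x, y, design))
    # The decoding step of Lemma 22: one corrupted position out of 8 still
    # leaves x as the unique codeword within relative distance 1/2 - 1/4.
    received = list(hadamard_encode(x)); received[0] ^= 1
    print("list-decode:", hadamard_list_decode(tuple(received), delta=0.25))
```

The Hadamard code is far from seed-efficient (its $\bar n=2^n$ is exponential, versus the $\mathrm{poly}(n,1/\delta)$ of Lemma 18), but it makes the list-decoding radius easy to reason about: distinct codewords differ in exactly half of their positions, so with `delta = 0.25` any word within relative distance $1/4$ of a codeword has a list of size one.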

5.3 Proof of Lemma 9

The proof of Lemma 9 follows immediately from Lemma 22 and an appropriate choice of parameters. Let $E$ denote the system made of the combination of $XYA_BB_B\mathcal{E}$, and let $n=|C|$. The assumption of the lemma is that $H^{\varepsilon}_{\min}(B_C|E)<\kappa n$. Let $m=\kappa n+1$. Let $C=C_{n,\delta}$, where $\delta=\varepsilon^2/(32m^2)$, be a $(\delta,1/\delta^2)$-list-decodable code, as promised by Lemma 18. Let $\mathrm{Ext}_C$ be constructed from $C$ and a $(t,1,m,d)$ design, where $t=\log\bar n$ and $d=O(t^2\log m)$, as promised by Lemma 20.

It follows from the data processing inequality (see e.g. [KR11, Lemma V.1 (ii)]), our assumed upper bound on $H^{\varepsilon}_{\min}(B_C|E)$, and our choice of $m$ that Eq. (12) holds with $(\varepsilon/2)$ in place of $\varepsilon$. Thinking of Eve as simply outputting one of her $L$ guesses $x_i$ chosen at random, we obtain that Eve's guess will be successful with probability at least $\varepsilon^2/(32Lm^2)$. Overall, Eve needs $m$ bits of advice, given which she can predict $x$ with success probability $\Omega(\varepsilon^6/m^6)$, given our choice of parameters.



6 Additional lemmas

Lemma 25 (Azuma-Hoeffding inequality). Let $(X_k)$ be a martingale such that $|X_k-X_{k-1}|\le c_k$ for all $k$. Then for all integers $m$ and all $t>0$,

$$\Pr(X_m-X_0\ge t)\ \le\ e^{-t^2/(2\sum_kc_k^2)}.$$

Lemma 26. Let $\varepsilon,\delta,\eta,\beta>0$ and $m$ an integer such that $e^{-2\beta^2\delta m}\le\varepsilon/2$. Let $X$ be a random variable defined over $m$-bit strings. Suppose that $\Pr(\sum_iX_i\le\eta m)\ge\varepsilon$. Then there exists a set $G\subseteq\{0,1\}^m$ such that $\Pr(G)\ge\varepsilon/2$ and for all $x$ in $G$, for a fraction $\ge1-\delta$ of indices $i\in[m]$,

$$\Pr(X_i=0\,|\,X_{<i}=x_{<i})\ \ge\ 1-\eta-\beta.$$

As a consequence, for a fraction at least $1-2\delta$ of $i\in[m]$ there exists a set $G_i\subseteq G$ such that $\Pr(G_i|G)\ge1/2$ and for every $x_{<i}\in G_i$,

$$\Pr(X_i=0\,|\,X_{<i}=x_{<i})\ \ge\ 1-\eta-\beta.$$
Proof. For every $i\in[m]$ define

$$B_i=\big\{(x_1,\ldots,x_{i-1},\ldots,x_m)\ \big|\ \Pr(X_i=1\,|\,X_{<i}=x_{<i})>\eta+\beta\big\},$$

let

$$B=\Big\{x\ \Big|\ \big|\{i:\ x\in B_i\}\big|\ \ge\ \delta m\Big\},$$

and suppose towards a contradiction that $\Pr(B)>1-\varepsilon/2$. Let $\overline{B}=\{x\in B\,|\,\sum_ix_i\le\eta m\}$. By definition, for every $x\in B$ and at least a $\delta$-fraction of indices $i$ it holds that $\Pr(X_i=1\,|\,X_{<i}=x_{<i})>\eta+\beta$. Hence the probability that $x\in B$ has less than $\eta m$ indices at which $X_i=1$ is at most $e^{-2\beta^2\delta m}$, i.e. $\Pr(\overline{B}|B)\le e^{-2\beta^2\delta m}$. This shows that

$$\Pr\Big(\sum_iX_i>\eta m\Big)\ \ge\ \Pr(B)\big(1-\Pr(\overline{B}|B)\big)\ \ge\ (1-\varepsilon/2)\big(1-e^{-2\beta^2\delta m}\big)\ >\ 1-\varepsilon$$

given our assumption on $\varepsilon,\delta,\eta,\beta$ and $m$; a contradiction.

For the "consequence", for any $x\in G$ and $i\in[m]$ let $Y_{x,i}=1$ if and only if the condition

$$\Pr(X_i=0\,|\,X_{<i}=x_{<i})\ \ge\ 1-\eta-\beta$$

is satisfied. We have shown $\mathbb{E}_{x\in G}\big[\frac1m\sum_iY_{x,i}\big]\ge1-\delta$. The result is then a consequence of Markov's inequality. □

Claim 27. Let $\rho=\rho_{AB}$ be a bipartite state shared between Alice and Bob. Suppose Bob chooses $x\in\mathcal{X}^m$ according to distribution $(p_x)$, and applies a measurement with Kraus operators $\{N^b_x\}_{b\in\mathcal{B}^m}$ on B. Alice sequentially applies a measurement with Kraus operators $\{M^a_i\}_{a\in\mathcal{A}}$ on A, for $i=1,\ldots,m$. Let $D\subseteq(\mathcal{X}\times\mathcal{A}\times\mathcal{B})^m$ be a set of probability $\Pr(D)=\varepsilon$. For $i\in[m]$, let $\rho_i$ be the state of the system $ABX_i$ after $i-1$ measurements have been performed by Alice, conditioned on $(x_{<i},a_{<i},b_{<i})\in D_{<i}$:

$$\rho_i\ \propto\ \sum_{(x,a,b):\,(x_{<i},a_{<i},b_{<i})\in D_{<i}}p_x\,\Big(\Big(\prod_{j<i}M^{a_j}_j\Big)\otimes N^b_x\Big)\,\rho\,\Big(\Big(\prod_{j<i}M^{a_j}_j\Big)^\dagger\otimes\big(N^b_x\big)^\dagger\Big)\otimes|x_i\rangle\langle x_i|,$$

and is normalized. Then the following bound holds:

$$\sum_iI(A_i:X_i\,|\,D_{<i})\ \le\ \log(1/\varepsilon).$$

Proof. We prove the claim using standard techniques from quantum information theory; specifically the proof of the Holevo-Schumacher-Westmoreland theorem [Hol98, Sch96]. We assume that the reader is familiar with the coding and decoding strategies employed in that result, and in particular the notion of typical subspace (see e.g. [Wil11, Chapters 14 and 19], and more specifically the proof of Theorem 19.3.1). We prove the claim by describing an experiment in which Bob transmits $H(X)$ bits of information to Alice using only $H(X) + \log(1/\varepsilon) - \sum_i I(A : X_i \,|\, D_{<i})_{\rho_i}$ bits of communication from him to Alice. This implies the claimed inequality: if it did not hold, Alice could guess Bob's $H(X)$ bits with success probability larger than $2^{-H(X)}$ simply by running the protocol by herself and guessing Bob's messages.

Suppose Alice and Bob share an infinite number of copies of $\rho$. For each $i \in [m]$, Alice and Bob also agree on a random code $C_i \subseteq \mathcal{X}^K$, where $K$ is a large integer, such that $|C_i| = 2^{K\, I(A : X_i | D_{<i})_{\rho_i}}$. By the properties of typical subspaces, with high probability over the choice of $C_i$ the collection of states $\bigotimes_{j=1}^K \rho_i(x'_j)$ for $(x'_1,\ldots,x'_K) \in C_i$, where $\rho_i(x'_j)$ is the reduced density of $\rho_i$ on $A$ conditioned on $X_i = x'_j$, are almost perfectly distinguishable.

The experiment proceeds as follows. The copies of $\rho$ are grouped in groups of $K$. For each group, Bob selects a random $x = (x_i^j)_{1 \le i \le m,\, 1 \le j \le K} \in (\mathcal{X}^m)^K$ and applies the measurements $\{N^{x^j}_b\}$ in the $j$-th copy of $\rho$ in that group, obtaining an outcome $b^j \in \mathcal{B}^m$. For each $i \in [m]$, Alice does the following, independently for each group. She guesses whether Bob's choice of $(x_i^1,\ldots,x_i^K)$ is in $C_i$ (the probability with which she guesses that this is so is equal to the probability that $(X_i^1,\ldots,X_i^K) \in C_i$, i.e. $2^{K(I(A : X_i | D_{<i})_{\rho_i} - H(X_i))}$). If so, she performs the decoding measurement to recover $X_i$. If not, she guesses $(x_i^1,\ldots,x_i^K)$ according to $p_x^{\otimes K}$. She then applies the measurements $\{M^i_a\}$ corresponding to the guessed $(x_i^j)$. At the end of the $m$ repetitions, Alice sends all her guesses, and her outcomes, to Bob.

Finally, Bob finds the first group of $K$ states in which Alice's guesses were all correct and $(x^j, a^j, b^j) \in D$ for each $1 \le j \le K$. In any group, the probability that this event happens is $2^{-K(H(X) - \sum_i I(A : X_i | D_{<i})_{\rho_i})}\,\varepsilon^K$. Moreover, note that Alice's probability of correctly guessing Bob's choice of $(x_i^j)_j$ is independent of $(x_{<i}^j)_j$. Hence Bob can indicate to Alice the index of the first group of states on which she was correct by transmitting $O\big(K\log(1/\varepsilon) + K(H(X) - \sum_i I(A : X_i | D_{<i})_{\rho_i})\big)$ bits. Alice then knows all $KH(X)$ bits of information about Bob's choices of $x$ in the $m$ rounds on the group of $K$ states. □